Authentication
Wireless clients can be authenticated for network access by checking their MAC address against
the local database configured on the access point, or by using a database configured on a central
RADIUS server. Alternatively, authentication can be implemented using the IEEE 802.1X network
access control protocol.

Client station MAC authentication occurs before the IEEE 802.1X authentication procedure
configured for the access point. However, a client's MAC address provides relatively weak user
authentication, since MAC addresses can be easily captured and used by another station to break
into the network. 802.1X provides more robust user authentication, using user names and
passwords or digital certificates. So, although you can configure the access point to use MAC
address and 802.1X authentication together, it is better to choose one or the other, as appropriate.
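
The following sketch is an added example, not code from the original manual or from the access point's firmware. It models the MAC check against the local database and its ordering ahead of 802.1X as described above; the database entries, BSSID, frame bytes, function names and the default-deny action for unlisted stations are assumptions constructed for illustration.

```python
import re

# Constructed local MAC database as it might be entered on an access point; the
# addresses are made-up locally administered values in deliberately mixed notation.
LOCAL_MAC_DB = {"02-00-5E-10-00-01": "allow", "0200.5e10.0002": "deny"}

def normalize_mac(text):
    """Reduce common MAC notations to 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[-:.]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def transmitter_address(frame):
    """Return addr2 of an 802.11 Authentication frame, or None if it is not one."""
    if len(frame) < 24:                       # management header is 24 bytes
        return None
    frame_type, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if frame_type != 0 or subtype != 11:      # management / authentication
        return None
    return frame[10:16].hex()                 # fc(2) dur(2) addr1(6) | addr2(6)

def mac_filter(frame, db, default="deny"):
    """MAC authentication: look up the claimed transmitter address. The `default`
    action for unlisted stations is an assumption of this sketch."""
    table = {normalize_mac(mac): action for mac, action in db.items()}
    addr = transmitter_address(frame)
    return default if addr is None else table.get(addr, default)

def admit(frame, db, dot1x_ok=None):
    """MAC check runs first; 802.1X (dot1x_ok True/False) is consulted only after
    it passes. dot1x_ok=None models an access point with 802.1X disabled."""
    if mac_filter(frame, db) != "allow":
        return False
    return True if dot1x_ok is None else dot1x_ok

def build_auth_frame(station, bssid):
    """Constructed open-system Authentication frame (header + 6-byte body)."""
    sta, ap = bytes.fromhex(normalize_mac(station)), bytes.fromhex(normalize_mac(bssid))
    return b"\xb0\x00\x00\x00" + ap + sta + ap + b"\x00\x00" + b"\x00\x00\x01\x00\x00\x00"

BSSID = "02:00:5e:aa:00:01"                   # constructed
listed = build_auth_frame("02:00:5E:10:00:01", BSSID)
# The filter sees only the address the frame claims. Any frame carrying a listed
# address is indistinguishable to it, so MAC filtering alone admits it, while the
# same frame is refused once 802.1X is enabled and the credential check fails.
print(admit(listed, LOCAL_MAC_DB), admit(listed, LOCAL_MAC_DB, dot1x_ok=False))
```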

Use MAC address authentication for a small network with a limited number of users. MAC
addresses can be manually configured on the access point itself without the need to set up a
RADIUS server. Use IEEE 802.1X authentication for networks with a larger number of users and
where security is the most important issue. For 802.1X authentication, a RADIUS server is required
in the wired network to control the user credentials of the wireless clients.

The access point can also operate in an 802.1X supplicant mode. This enables the access point itself
to be authenticated with a RADIUS server using a configured user name and password with MD5
authentication. This prevents rogue access points from gaining access to the network.
4-14 Advanced Configuration